Tuesday, January 22, 2008

The case against data retention

I've written a piece for today's Irish Examiner on the Government's data retention proposals, which it published under the headline (not chosen by me!) "Big brother will be watching... everyone". Full text:

How would you feel if someone followed you every day, writing down your movements, making a note of everyone you talked to, jotting down the address of every letter you post, and then storing that information for three years? What would you think if that system of surveillance was extended to every single person in the country? While this might sound like the stuff of science fiction, since 2002 the Government has required telephone companies to track the movements of all their users, to log details of every telephone call made and every text message sent and to store that information for three years. The Department of Justice now proposes to extend this further, to require ISPs to monitor everyone’s internet use, including details of every email or instant message we send, and every time we log on or off, and to store that information for up to two years. What’s more, it intends to do this by the stroke of a ministerial pen, with no debate before the Dáil or the Seanad.

The rather dull name for this surveillance is “data retention”. But it might be more informative to talk of “digital footprints”. As technology comes to be more and more part of our everyday lives, we leave a trail of digital footprints recording almost everything we do. Activities which once would have been private (posting a letter) may now leave a record (sending an email). Data retention laws – by storing these digital footprints – mean that the rights to privacy and freedom of expression we take for granted in the offline world might be lost in the digital age.

Of course, it is legitimate that police should have access to some call or internet data. This information can help in investigations and prosecutions. But the information stored and access to that information must be reasonable and proportionate. In particular, information should not be stored on everyone, but only on a targeted basis. Access should be granted only on the basis of a warrant, and only in respect of terrorism or serious crime. And the information should be stored for as short a period as possible, and certainly for no more than six months except in exceptional circumstances.

Indeed, in 2001 the Government accepted the need for safeguards by signing up to the Convention on Cybercrime, which achieved international agreement on a far less intrusive “data preservation” system, which would preserve evidence in individual cases without the blanket storage of information on all citizens. But the Government has since ignored that system and instead put in place laws which contain almost none of these safeguards.

Laws requiring monitoring of the entire population are astonishing in a democracy. Yet so far there has been very little public debate. One reason might be that this surveillance happens invisibly in the background. But compared to traditional surveillance it is potentially far more intrusive, and carries much greater risks of abuse. In the United Kingdom we have seen the loss of data on many millions of individuals. Here officials in the Department of Social Welfare have been found to be engaged in the systematic leaking and selling of personal information from government databases. There is no reason to think that this information will be treated any differently.

Public awareness has also been stifled by the tactics adopted by the Government. In 2002 data retention was initially brought in by a secret ministerial order, which the telephone companies were forbidden to reveal. Only after pressure from the Data Protection Commissioner was it made public. In 2005, the Minister for Justice again avoided public scrutiny by changing the law using a last minute amendment to an unrelated Bill – breaking a promise that there would be full consultation and a separate Bill for the Oireachtas to debate. Now the Department of Justice is proposing to implement a European Directive on data retention using a statutory instrument – again excluding the Dáil and the Seanad. They claim that the matter is urgent and that there is no time for legislation. But that Directive was passed in February 2006. The Department has had nearly two years to prepare a Bill and cannot now rely on its own delay to justify sidelining democratic scrutiny.

Digital Rights Ireland has brought a High Court challenge to these Irish and European data retention laws, which will ultimately decide whether surveillance of the entire population can be compatible with the rights to privacy and freedom of expression under our Constitution and the European Convention on Human Rights. Until then, however, there should at a minimum be full public awareness and discussion. And in the case of the Department of Justice proposals, at the very least any extension of these laws to the Internet should be by primary legislation and following a debate in the Oireachtas.

I completely agree with what you said about electronic information being retained if it is reasonable and proportionate. There are absolutely instances in which this can be helpful and beneficial, but to pass a law of this magnitude without justification seems a blatant violation of a persons right to privacy. I run an email archiving and email compliance blog and I was happy to reference your commentary. Thanks for producing such great work. I'd be curious to get your opinion on the consequences of this whole situation playing out.